{
	"id": "86f11078-e44a-43e0-a977-65b78d50fbdb",
	"created_at": "2026-04-06T00:21:21.375601Z",
	"updated_at": "2026-04-10T13:11:45.600195Z",
	"deleted_at": null,
	"sha1_hash": "504d619e80122322ff738fe37b4ba65f85b2f5a1",
	"title": "Agenda (Qilin)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444106,
	"plain_text": "Agenda (Qilin)\r\nBy SentinelOne\r\nPublished: 2022-11-30 · Archived: 2026-04-05 22:09:03 UTC\r\nAgenda (Qilin) Ransomware: In-Depth Analysis, Detection, and Mitigation\r\nWhat is Agenda (Qilin) Ransomware?\r\nAgenda ransomware was first observed in July of 2022. Agenda is written in Golang and also referred to as ‘Qilin’. Agenda ransomware supports multiple encryption modes, all of which are controlled by the operator. Agenda actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.\r\nWhat Does Agenda Ransomware Target?\r\nAgenda ransomware is known to target large enterprises and high-value targets. They have also been known to focus on organizations in the healthcare and education sectors in Africa and Asia.\r\nHow Does Agenda Ransomware Work?\r\nAgenda ransomware targets its victims through phishing and spear phishing emails. They are also known to leverage exposed applications and interfaces such as Citrix and remote desktop protocol (RDP).\r\nAgenda Ransomware Technical Details\r\nhttps://www.sentinelone.com/anthology/agenda-qilin/\r\nPage 1 of 5\r\nAgenda ransomware has some customization options, which include changing the filename extensions of encrypted files and the list of processes and services to terminate. It supports several encryption modes that the ransomware operator can configure through the encryption setting. The ‘help’ screen displays the different encryption modes available: skip-step, percent, and fast.\r\nHow to Detect Agenda Ransomware\r\nThe SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Agenda ransomware.\r\nIf you do not have SentinelOne deployed, here are a few ways you can identify Agenda ransomware in your network:\r\nSecurity Tools\r\nUse anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms to identify and block suspicious files or activities.\r\nNetwork Traffic\r\nMonitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.\r\nSecurity Audits\r\nConduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.\r\nEducation \u0026 Training\r\nEducate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.\r\nBackup \u0026 Recovery Plan\r\nImplement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.\r\nHow to Mitigate Agenda Ransomware\r\nSentinelOne Singularity XDR Platform prevents Agenda ransomware infections. In case of an infection, the SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Agenda ransomware.\r\nSentinelOne customers are protected from Agenda ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any malicious impact on the device and restore encrypted files to their original state.\r\nIn case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of Agenda ransomware attacks:\r\nEducate employees\r\nEmployees should be educated on the risks of ransomware, and how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.\r\nImplement strong passwords\r\nOrganizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long and should include a combination of uppercase and lowercase letters, numbers, and special characters.\r\nEnable multi-factor authentication\r\nOrganizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or the use of physical tokens or smart cards.\r\nUpdate and patch systems\r\nOrganizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.\r\nImplement backup and disaster recovery\r\nOrganizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks or other disasters. This includes creating regular backups of all data and systems and storing these backups in a secure, offsite location. The backups should be tested regularly to ensure that they are working and that they can be restored quickly and easily.\r\nQilin (Agenda) Ransomware FAQs\r\nWhat is Qilin (Agenda) Ransomware?\r\nQilin, also known as Agenda, is a ransomware family that first appeared in July 2022. It’s written in Go (Golang) and later versions in Rust, allowing for cross-platform attacks. Qilin operates as a Ransomware-as-a-Service (RaaS), enabling affiliates to customize attacks based on specific environments. The ransomware employs double extortion tactics, encrypting files and threatening to release stolen data if the ransom isn’t paid.\r\nWho is behind the Qilin (Agenda) Ransomware group?\r\nQilin operates as a Ransomware-as-a-Service (RaaS) affiliate program. The group’s origins are linked to Russian-speaking cybercriminal forums, where they recruit affiliates to deploy ransomware attacks. Affiliates receive a percentage of the ransom payments, typically between 80-85%.\r\nHow does Qilin (Agenda) Ransomware spread?\r\nQilin ransomware spreads through phishing and spear-phishing emails containing malicious attachments or links. It also exploits exposed applications and interfaces, such as Citrix and Remote Desktop Protocol (RDP), to gain initial access. Once inside, it leverages tools like Cobalt Strike for deployment and lateral movement within the network.\r\nWhich operating systems are targeted by Qilin (Agenda) Ransomware?\r\nQilin ransomware targets multiple operating systems, including Windows and Linux. It has been observed propagating to VMware vCenter and ESXi servers, affecting virtual environments. The use of Go and Rust programming languages allows for cross-platform compatibility, enhancing its reach.\r\nWhat types of files does Qilin (Agenda) Ransomware encrypt?\r\nQilin ransomware encrypts a wide range of file types, focusing on documents, databases, images, and other critical data. It will disrupt operations and pressure victims into paying the ransom to regain access to their essential files.\r\nWhat encryption algorithms does Qilin (Agenda) Ransomware use?\r\nQilin ransomware employs multiple encryption algorithms, including ChaCha20, AES-256, and RSA-4096.\r\nDoes Qilin (Agenda) Ransomware disable security tools and antivirus software?\r\nYes, Qilin ransomware attempts to disable security tools and antivirus software to evade detection and facilitate its encryption process. It may terminate specific processes and services, delete system logs, and use obfuscation techniques to avoid identification by security solutions.\r\nWhat security best practices help prevent Qilin (Agenda) Ransomware infections?\r\nGood security practices to prevent Qilin ransomware infections include conducting regular security audits, monitoring network traffic for unusual activity, and segmenting networks to limit lateral movement. Ensure that Remote Desktop Protocol (RDP) and other remote access points are securely configured and monitored.\r\nCan EDR solutions stop Qilin (Agenda) Ransomware?\r\nYes. SentinelOne Singularity XDR can stop Qilin (Agenda) ransomware attacks.\r\nSource: https://www.sentinelone.com/anthology/agenda-qilin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/anthology/agenda-qilin/"
	],
	"report_names": [
		"agenda-qilin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/504d619e80122322ff738fe37b4ba65f85b2f5a1.pdf",
		"text": "https://archive.orkl.eu/504d619e80122322ff738fe37b4ba65f85b2f5a1.txt",
		"img": "https://archive.orkl.eu/504d619e80122322ff738fe37b4ba65f85b2f5a1.jpg"
	}
}